2 Networks - One linux box (security question)

Posted on 2003-02-25
Medium Priority
Last Modified: 2010-03-18
OK, I have a linux box setup where I work.  The building is entirely Windows NT/2000 based, with no linux servers anywhere.  I have my linux box setup with 2 NICs in it, one connected to this corporate network (which has a T1 secured with a Sidewinder Firewall system), and the other NIC goes to a DSL router (completely open and unsecured).

I am using this DSL line to get Internet access, since the proxy server runs Microsoft proxy server, and machines need to have Microsoft Proxy Client installed to work.  Well, Linux won't connect through this proxy, that is why I have the extra DSL.

What I'm asking is how can I secure the corporate network connection from the DSL so that users can't hack through the DSL line, through my linux box (which is always on) and into the corporate network, completely bypassing the sidewinder firewall they have setup.

I need to know what to setup so that I can get Internet and run some services (such as apache and mySQL) through this DSL, but not allow any connections going through the DSL line to access the other NIC.

Please help me on this, it would be greatly appreciated.  Thanks in advance.
Question by: phraxion
Expert Comment

ID: 8024408
If you have iptables, use gshield, http://muse.linuxmafia.org/gshield.html
However, if you run a service to the outside, no firewall will protect you if the service itself is vulnerable since the firewall is configured to allow all traffic to the service.

Bob Gunzel

Accepted Solution

jeordsta earned 400 total points
ID: 8037919

If all you are concerned about is people going _through_ your server then the answer is simple:

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP

Even this is overkill. The first line tells the kernel never to retransmit packets. That is, never act as a router. This will stop any packets coming in on one interface from going out on the other.

The second line tells the kernel to make it a policy (-P) to drop anything that is being forwarded. But since you're already not allowing forwarding in your kernel this is overkill.

However, the much more difficult question is if you are worried about people hacking your computer and then using that to get access to the internal network. You must do some more subtle firewalling then to ensure that your computer doesn't get hacked. A good starting point is:

iptables -P INPUT DROP

This tells the kernel to drop any connection attempts unless they have been explicitly allowed. It is then possible to exercise fine grained control on what things you allow to access your computer. For example, if you want to run a web server you can explicitly allow connections to port 80 (http) by typing:

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

This tells the kernel to append (-A) a rule to the input firewalling table that anything of protocol tcp (-p tcp) arriving on the DSL interface (-i ppp0 I assume that that is your DSL interface) having destination port 80 (--dport 80) should be accepted. This would allow external access to the web service. If you wanted everyone on your internal network full access to your computer you would type:

iptables -A INPUT -i eth0 -j ACCEPT

(assuming that your internal nic is eth0).

Similarly for mysql. It is just a matter of finding out what port it uses and allowing it similarly to the http server above.

Author Comment

ID: 8038323
now... if after doing all of this, how can I test to see if I've secured off the internal network from any connections on the DSL line (which is coming in through eth1, my internet is eth0)?
Author Comment

ID: 8038339
eth0 = internal network
eth1 = DSL line (hooked to a router)

Expert Comment

ID: 8038625

Yes, it is quite easy to test. Gather the following equipment/information:
1) the IP address of the DSL modem
2) the IP of eth1 on your machine
3) an IP of a reliable server on the inside of the network which you can ping from your machine (through eth0)
4) a laptop with a NIC (running any operating system)

Now give the laptop identical configurations to the DSL modem and plug it into your eth1. Add a route to the internal IP like this:
route add reliableIP gw eth1addr
route add reliableIP mask eth1addr

And then ping the reliable ip from the laptop. You should be able to ping the reliable ip if kernel forwarding is on and ipforwarding is on. That is, if you do:
echo 1 > /proc/sys/net/ipv4/ip_forward
you should be able to ping the reliable host. Then doing the opposite:
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
should disable pinging (as mentioned in my previous post only one of these lines is strictly necessary).

Good luck, Geordie.
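The ruleset from the accepted answer, with the asker's interface layout (eth0 = corporate LAN, eth1 = DSL), written up as a script. This is an added example, not code from the thread: the loopback and ESTABLISHED,RELATED rules are additions not mentioned by the answerer, the port list is an assumption, and build_rules prints the commands so they can be reviewed before apply_rules runs them as root. check_forwarding covers the local half of the test Geordie describes (forwarding off on the box itself); the laptop ping test is still the way to confirm it end to end.

```shell
#!/bin/sh
# Added example, not from the original Experts Exchange thread.
# Assumed layout (from the asker): eth0 = internal/corporate LAN, eth1 = DSL side.

# build_rules LAN_IF DSL_IF [TCP_PORT ...]
# Prints the commands instead of running them, so the ruleset can be inspected.
build_rules() {
    lan_if=$1; dsl_if=$2; shift 2
    # 1) Never act as a router between the two NICs (both lines from the answer;
    #    the second is belt-and-braces in case forwarding gets re-enabled).
    echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -P FORWARD DROP"
    # 2) Default-deny inbound, then allow only what is listed below.
    echo "iptables -P INPUT DROP"
    # Loopback and replies to connections this box opened (additions, not in the thread).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3) Internal LAN gets full access to this box (the answer's eth0 rule).
    echo "iptables -A INPUT -i $lan_if -j ACCEPT"
    # 4) From the DSL side only the listed TCP ports are reachable; every port
    #    added here (e.g. 3306 for MySQL) widens what an outside attacker can probe,
    #    which is the point Bob Gunzel makes about exposed services.
    for p in "$@"; do
        echo "iptables -A INPUT -i $dsl_if -p tcp --dport $p -j ACCEPT"
    done
}

# apply_rules: execute what build_rules prints (requires root).
apply_rules() {
    build_rules "$@" | while read -r cmd; do eval "$cmd"; done
}

# check_forwarding: succeeds (exit 0) only if the kernel has forwarding switched off.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "0" ]
}

# Show the ruleset for the asker's case: Apache on port 80 reachable from the DSL line.
build_rules eth0 eth1 80
```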

Author Comment

ID: 8112294
works perfectly... thanks
